48

I'm using the default login module in ASP.NET MVC 4. I did not change any code in the default application and I hosted it on a shared server.

After I logged in using the default login page, I kept the browser idle for some time. Then, obviously, the application redirected to the login page when I tried to perform any controller action with the [Authorize] attribute.

Then I tried to log in again and it gives an error when I click on the login button.

The anti-forgery cookie token and form field token do not match.


Login action

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }
chamara
  • Did you put the anti-forgery token into the form? – ta.speot.is Aug 07 '13 at 07:50
  • 2
    Could the shared host be messing with your cookies? `AntiForgeryToken` gives the visitor a cookie called `__RequestVerificationToken`, and also puts it in a hidden field on the page. When you call the server, it compares the value you have in your cookie and whatever was sent with the Form. – Artless Aug 07 '13 at 07:55
  • @ta.speot.is I haven't added it to the form since it's present in the controller. It needs to be present in one of the places, right? In the form or in the controller? – chamara Aug 07 '13 at 08:30
  • The attribute is called `ValidateAntiForgeryToken`. It `Validate`s the `AntiForgeryToken`... – ta.speot.is Aug 07 '13 at 08:30
  • @ta.speot.is sorry for my previous comment. @Html.AntiForgeryToken() does exist in the form – chamara Aug 07 '13 at 08:40
  • 1
    Read this. Maybe it will help you: http://stackoverflow.com/questions/7766975/requestverificationtoken-does-not-match and http://stackoverflow.com/questions/5767768/troubleshooting-anti-forgery-token-problems – Sampath Aug 07 '13 at 09:00

7 Answers

50

I resolved the issue by explicitly adding a machine key in web.config.

Note: For security reasons, don't use this key. Generate one from https://support.microsoft.com/en-us/kb/2915218#AppendixA. Don't use an online one; details: http://blogs.msdn.com/b/webdev/archive/2014/05/07/asp-net-4-5-2-and-enableviewstatemac.aspx

 <machineKey validationKey="971E32D270A381E2B5954ECB4762CE401D0DF1608CAC303D527FA3DB5D70FA77667B8CF3153CE1F17C3FAF7839733A77E44000B3D8229E6E58D0C954AC2E796B" decryptionKey="1D5375942DA2B2C949798F272D3026421DDBD231757CA12C794E68E9F8CECA71" validation="SHA1" decryption="AES" />

Here's a site that generates unique Machine Keys:

http://www.developerfusion.com/tools/generatemachinekey/

Imran Qadir Baksh - Baloch
  • 10
    This solved the problem right away for me. Just as a note, this is placed inside the <system.web> tag in the web.config. – JensB Aug 29 '13 at 20:06
  • 24
    Hopefully that's not the actual machine key you placed in your application but instead you generated a new one :-) – Darin Dimitrov Dec 27 '13 at 16:13
  • 2
    Hello, I got the same problem as the OP described. I tried this solution by getting a key from here http://aspnetresources.com/tools/machineKey and it doesn't fix the problem. The only difference is, though, that I don't always see this error, only sometimes. Mine is on GoDaddy shared hosting. Any thoughts? – Laurence Jun 07 '14 at 17:09
  • 4
    As per [Microsoft's docs](https://support.microsoft.com/en-us/help/2915218/resolving-view-state-message-authentication-code-mac-errors#AppendixA) you should never use a 3rd party tool or website to generate machine keys. Always do it yourself. – barnacle.m Oct 02 '17 at 10:36
  • 5
    You can generate them in IIS as well by clicking on any website, clicking on "Machine Key" under the "ASP.NET" section in the middle, then clicking on "Generate Keys" on the right. – computrius Jan 10 '19 at 15:37
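Added example for this answer, not the answer's own code and not Microsoft's PowerShell from KB 2915218: a small Python script that generates a <machineKey> element locally from the OS CSPRNG, which is what the answer and the comments above recommend instead of pasting a key from a web site. It also checks an existing element for the two mistakes that reproduce the original problem: keys left at AutoGenerate (a different key per app-pool instance) and hex keys of the wrong length. The function names and the accepted algorithm table are this example's own; the key sizes (64 bytes for SHA1/HMACSHA256 validation, 32 bytes for AES decryption) are the sizes the answer's own element uses.

```python
# Added example: generate and sanity-check a <machineKey> element locally.
# Stand-alone script written for this page, not Microsoft's KB script.
import re
import secrets
import xml.etree.ElementTree as ET

# Key sizes in bytes. validation="SHA1" in web.config means HMACSHA1; both it
# and HMACSHA256 use a 64-byte key here, AES a 256-bit key, matching the
# 128-hex validationKey / 64-hex decryptionKey shape of the answer's element.
DECRYPTION_KEY_BYTES = {"AES": 32}
VALIDATION_KEY_BYTES = {"SHA1": 64, "HMACSHA256": 64}


def generate_machine_key(validation="HMACSHA256", decryption="AES") -> str:
    """Return a <machineKey .../> element with fresh random keys, ready to be
    pasted inside <system.web> in web.config."""
    validation_key = secrets.token_hex(VALIDATION_KEY_BYTES[validation]).upper()
    decryption_key = secrets.token_hex(DECRYPTION_KEY_BYTES[decryption]).upper()
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="{validation}" decryption="{decryption}" />')


def check_machine_key(element: str) -> list:
    """Sanity-check an existing <machineKey> element, e.g. one copied from a
    web site or an old config. Returns a list of problems; empty means OK."""
    problems = []
    attrs = ET.fromstring(element).attrib
    for name, algo, table in (("validationKey", attrs.get("validation", ""), VALIDATION_KEY_BYTES),
                              ("decryptionKey", attrs.get("decryption", ""), DECRYPTION_KEY_BYTES)):
        value = attrs.get(name, "")
        if value in ("", "AutoGenerate", "AutoGenerate,IsolateApps"):
            # The default: every app-pool restart or farm node gets its own key,
            # so tokens issued by one instance cannot be verified by the next.
            problems.append(f"{name} is auto-generated")
            continue
        if not re.fullmatch(r"[0-9A-Fa-f]+", value):
            problems.append(f"{name} is not a hex string")
            continue
        expected = table.get(algo)
        if expected is None:
            problems.append(f"{algo or '(unset)'} is not an algorithm this checker knows")
        elif len(value) != expected * 2:
            problems.append(f"{name} is {len(value) // 2} bytes; {algo} expects {expected}")
    return problems


if __name__ == "__main__":
    element = generate_machine_key()
    print(element)
    print("problems:", check_machine_key(element) or "none")
```

Run it on the machine that owns the application and paste the printed element inside <system.web>; on a web farm or a shared host with several worker processes, every instance has to carry the same element or the cookie issued by one worker will not verify on another.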
11

Another reason for having this error is if you are jumping between [Authorize] areas that are not cached by the browser (this would be done on purpose in order to block users from seeing protected content when they sign out and use the back button, for example).

If that's the case you can make your actions non-cached, so if someone clicks the back button and ends up on a form with @Html.AntiForgeryToken(), the token will not be the cached one from before.

See this post for how to add a [NoCache] ActionFilterAttribute: How to handle form submission ASP.NET MVC Back button?

Yovav
  • 3
    Scanner, you're missing the point here, Ctrl+F5 does clear the cache, but internet users will not know that they need to do that, plus it shouldn't happen anyways. – Yovav Nov 03 '16 at 18:58
3

Make sure you put the @Html.AntiForgeryToken() in your page's form.

shimron
3

I had this problem for a long time and assumed it was something wrong with ASP.NET.

In reality, it was the server. I was with WinHost then, and they have a 200MB memory limit. As soon as I had ~20 users on at the same time, my limit was reached. At this point, everyone was logged out and yielded these issues.

Stachu
3

For me, this was caused by submitting a form using a button tag. Changing this to an input submit tag resolves the issue.

Mike Upjohn
0

In my case, we found that the site cache was enabled and because of this the "anti-forgery" token value was not updating every time; after removing this cache the form submits.

Shailesh
0

In my case it was related to multiple cookie values set by the domain site and the subdomain site.

  • main.com set __RequestVerificationToken = 1
  • sub.main.com set __RequestVerificationToken = 2

But when a request to sub.main.com was sent, it used the __RequestVerificationToken = 1 value from main.com.

Vladislav Kostenko
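Added example, not framework code and not from any answer above: a Python model of the check that produces the error in the question, used to replay the failure modes the accepted answer (a machineKey that changes when the app pool restarts), Yovav's answer (a stale form token resubmitted from a cached page) and the last answer (two cookies of the same name from main.com and sub.main.com) describe. The model follows the mechanism the comments on the question state: @Html.AntiForgeryToken() stores a random secret in the __RequestVerificationToken cookie and emits a form field bound to the same secret, both protected with the machineKey, and [ValidateAntiForgeryToken] unprotects both and compares. The class and function names, the reason strings and the HMAC-SHA256 construction are this example's own (the real framework's messages and token format differ), and the assumption that the server reads the first cookie of a given name is the example's, used for the two-domain case. All keys and tokens are generated inside the script.

```python
# Added example, not framework code: a model of the check behind the page's
# error. @Html.AntiForgeryToken() stores a random secret in the
# __RequestVerificationToken cookie and a form field bound to that secret, both
# protected with the machineKey; [ValidateAntiForgeryToken] unprotects both and
# compares. Names and reason strings are this example's own; all keys and
# tokens are generated here.
import hashlib
import hmac
import secrets

COOKIE_NAME = "__RequestVerificationToken"


class MachineKey:
    """Stands in for <machineKey validationKey="...">. With no explicit key
    the framework auto-generates one per app-pool instance."""

    def __init__(self, validation_key=None):
        self.validation_key = validation_key or secrets.token_bytes(64)

    def protect(self, payload: bytes) -> str:
        mac = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return (payload + mac).hex()

    def unprotect(self, blob: str) -> bytes:
        raw = bytes.fromhex(blob)
        payload, mac = raw[:-32], raw[-32:]          # SHA-256 MAC is 32 bytes
        good = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, good):
            raise ValueError("not protected with the current machineKey")
        return payload


def first_cookie(cookie_header: str, name: str):
    """First cookie with that name in a Cookie header, which is what this model
    assumes Request.Cookies[name] returns (used for the two-domain case)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class AntiForgeryModel:
    def __init__(self, key: MachineKey):
        self.key = key

    def render_form(self, cookie_header: str = ""):
        """GET: reuse the browser's cookie token or issue one, and emit a
        form field bound to the same secret. Returns (cookie, form_field)."""
        cookie = first_cookie(cookie_header, COOKIE_NAME)
        if cookie is None:
            secret = secrets.token_bytes(16)
            cookie = self.key.protect(secret)
        else:
            secret = self.key.unprotect(cookie)
        return cookie, self.key.protect(b"form:" + secret)

    def validate(self, cookie_header: str, form_field: str) -> str:
        """POST: returns "ok" or the reason the check failed."""
        cookie = first_cookie(cookie_header, COOKIE_NAME)
        if cookie is None:
            return "cookie missing"
        try:
            cookie_secret = self.key.unprotect(cookie)
            form_payload = self.key.unprotect(form_field)
        except ValueError:
            return "token not protected with current machineKey"
        if form_payload != b"form:" + cookie_secret:
            return "cookie token and form field token do not match"
        return "ok"


def scenarios() -> dict:
    """The page's scenarios; returns {name: validate() result}."""
    out = {}
    app = AntiForgeryModel(MachineKey())                 # auto-generated key
    cookie, form = app.render_form()
    out["normal"] = app.validate(f"{COOKIE_NAME}={cookie}", form)
    # Accepted answer: the app pool restarts with no explicit machineKey, so
    # the new instance cannot unprotect the tokens the old one issued.
    restarted = AntiForgeryModel(MachineKey())
    out["key_regenerated"] = restarted.validate(f"{COOKIE_NAME}={cookie}", form)
    # Same restart with the key pinned in web.config: the tokens survive.
    pinned = MachineKey()
    app = AntiForgeryModel(pinned)
    cookie, form = app.render_form()
    restarted = AntiForgeryModel(MachineKey(pinned.validation_key))
    out["key_pinned"] = restarted.validate(f"{COOKIE_NAME}={cookie}", form)
    # Yovav's answer: a cached page is resubmitted via the back button after
    # the cookie was cleared and reissued, so its form field is stale.
    new_cookie, _ = app.render_form()
    out["stale_cached_form"] = app.validate(f"{COOKIE_NAME}={new_cookie}", form)
    # Last answer: main.com and sub.main.com each set the cookie, the browser
    # sends both, and the server reads main.com's first.
    main_cookie, _ = app.render_form()
    sub_cookie, sub_form = app.render_form()
    both = f"{COOKIE_NAME}={main_cookie}; {COOKIE_NAME}={sub_cookie}"
    out["two_domain_cookies"] = app.validate(both, sub_form)
    return out
```

Calling scenarios() gives "ok" only for the normal request and for the restart with a pinned key; the regenerated key fails because neither token can be unprotected any more, while the stale cached form and the two-domain cookies both unprotect fine and fail on the comparison, which is the case the question's message describes. The practical reading: an explicit <machineKey> fixes the first case, [NoCache] on the form actions fixes the second, and the third needs the cookie's Domain (or the cookie name) to differ between the two sites.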